CBA released a statement on Thursday in which it admitted that, in May 2016, it was unable to confirm the scheduled destruction of two magnetic tapes used to print bank statements. The tapes contained information including customer names, addresses, account numbers and transaction details of approximately 19 million CBA customers.
“Most likely, the tapes have been disposed of, but without the evidence, we immediately launched an investigation and notified our regulators: APRA and the privacy commissioner,” CBA Group executive, retail banking services, Angus Sullivan said.
CBA launched an “independent forensic investigation” by KPMG, which found no evidence that customer data had been compromised or accessed by third parties.
After consulting with the privacy commissioner, CBA decided not to inform customers that their data was missing, given “the outcome of our investigation found the tapes were most likely disposed of,” Mr Sullivan said.
“In these cases, we need to balance the need to alert customers without unnecessarily alarming them,” Mr Sullivan said.
On Thursday, the Office of the Australian Information Commissioner (OAIC) released a statement saying that it was notified of an “incident” by CBA in 2016.
The OAIC said: “Having regard to the findings in the report by the Australian Prudential Regulation Authority into the CBA released on Tuesday, the OAIC has made further inquiries in relation to this matter and has sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learnt from this incident to ensure the privacy of customers’ personal information is adequately protected.”